Your TikTok Account Can Be Easily Hacked. Learn Why TikTok Isn’t Safe Anymore?

In the social media age, see how ‘TikTok’ has left its user privacy and data vulnerable. Hackers are Manipulating Your TIKTOK Videos for Fake Content using a simple trick.


5 min read
Your TikTok Account Can Be Easily Hacked. Learn Why TikTok Isn’t Safe Anymore?

Tiktok is emerging as the new darling of the social media world. You may love it or hate it, but definitely can’t ignore this viral phenomenon. From Gen Z to millennials to even celebrities are signing up to be a part of Tiktok Community. But since its launch, the app has been surrounded by many controversies revolving mainly around user privacy and data security. Some recent examples include parental concerns, Chinese origin debate, text messages scam and many more. Though the youth and social media addicted population may not care about such news, the cybersecurity experts are backing this claim with new research every month.

Earlier in January, 2020 a cybersecurity firm, CheckPoint uncovered a grave risk for TikTok users where cyber-crooks found a way to access user personal and post data. This security flaw included:

  • Access user personal details like email, date of birth, address etc.
  • Access to user posts/ content and ability to:
  • Delete
  • Switch private videos to public
  • Swap existing/ new videos with fake ones
  • Leak your content to X-rated sites

This issue was then reported to ByteDance, TikTok’s parent company, who soon fixed it in their next update.

Later, App Developers Tommy Mysk and Talal Haj Bakry published a paper unfolding yet another TikTok risk for iOS users that enabled the app to spy on iPhone and iPad clipboard.

Now with Coronavirus global lockdown, the app is currently thriving with maximum user engagement. But this activity is not just limited to normal profile holders, the trending platform has attracted hackers too. The developer duo, Mysk and Bakry, have discovered yet another Tiktok vulnerability where hackers are swapping user videos with fake content.

How TikTok Videos Are Getting Hacked? - For Beginners

Tiktok has done pretty well for itself in a span of two and half years, garnering over 1 billion active users in 150 markets and 70+ languages worldwide. That’s why these ongoing risks to the App’s security should be an alarming concern for users who are busy going about making viral videos every day.

Mysk and Bakry recently conducted a research and established that hackers have found a backdoor in the application’s architecture. They point out that like most social networks TikTok uses Content Delivery Networks (CDNs) for better storage and functioning of abundant media files. But they choose to transfer the video and other files over HTTP instead of HTTPS. For those who aren’t technically aware of the difference, HTTPS uses encryption for any requests and responses, while HTTP doesn’t. In simpler terms, HTTPS is 100 times more secure than the latter.

TikTok HTTP Vulnerability

So why exactly has TikTok opted for this unreliable protocol? Well, mainly because HTTP provides a faster data transfer and speed performance. But is it worth putting your users’ privacy in jeopardy? We certainly don’t think so.

How to Hack TikTok? – Deep Analysis

Analyzing the shortcomings of HTTP and how it provides an unsafe route for file transfer, it becomes pretty easy to swap the load. All it takes is a common shared Router! A router is the general reference point between the App and CDNs in this scenario. This gives complete data access to anyone who has control of your router directly or indirectly. Typically, the main direct parties who can be involved are:

  • Public Wi-Fi Operators
  • Internet Service Providers (ISPs)
  • VPN Providers
  • Intelligence/ Federal Agencies (depending on your country policies)
  • Hackers (obviously)

This kind of manipulation is known as ‘Man-in-the-Middle’ (MITM) Attack where the content is altered during transmission. So imagine this, you are uploading a lip-sync video to the latest pop-anthem, but what gets posted is a fake public announcement. What, How, When… Well, you just got HACKED!!!

TikTok Man in the middle attack

Swapping TikTok Videos Hack – Technical Methodology

The Man-in-the-Middle trick in the current scenario requires a multi-level hack. For this the researcher duo analyzed Tiktok’s network traffic through Wireshark and found that the videos are downloaded from MUSCDN.com with multiple sub-domains following a similar pattern. One of which is http://v34.muscdn.com (This particular server was used for the purposes of the research).

  1. First and foremost, they created a mirror server of TikTok CDN server http://v34.muscdn.com
  2. Then, on their fake server they uploaded fake videos which they wanted to circulate
  3. Next, they exploited the target’s local router to write the DNS record for http://v34.muscdn.com and pointing the IP to their fake server
  4. By now we’re already familiar where the swapping occurs

In their own words “Our fake server impersonates TikTok servers, the app cannot tell that it is communicating with a fake server. Thus, it will blindly consume any content downloaded from it.”

Tiktok vulnerability

Note:

  1. Mysk and Bakry also had access to the profile pictures and still images folders, but left that out of this experiment.
  2. This research was also carried out on Facebook, Twitter, Instagram, Snapchat and Youtube. But they passed in flying colors with 0% HTTP traces.

Hacking TikTok – Demonstration

The above video is the proof demonstration behind this TikTok vulnerability by the researchers - Mysk and Bakry. To prove their hypothesis, they choose to make a statement by hacking into the verified accounts of:

  • World Health Organization (WHO) - @who
  • American Red Cross - @americanredcross
  • British Red Cross - @britishredcross
  • TikTok - @tiktok
  • Loren Gray - @lorengray
  • Dalia - @dalia

They used the same exact process to upload a fraudulent video with misleading information/ facts about COVID-19.

TikTok vulnerability Corona Fake News

How to Secure Your TikTok Account?

The fame and popularity of this social networking giant seems to have aggravated cyber-attackers for their personal fun and maybe publicity. But you don’t have to fall prey to this hack. Here are a few precautions you can take to keep a check your your TikTok data privacy:

  1. Always keep your app up-to-date, in case TikTok has identified and fixed any latest  issues
  2. Avoid using public networks. Prefer connecting to your home/ trusted wi-fi or mobile data
  3. Secure your personal network with strong encryption keys

We hope you got aware and smart about TikTok after reading our article. To go through the full detailed article from Mysk and Bakry themselves, click here.

Please comment below, which topic do you want us to cover next.

Follow us on Telegram and Twitter for all such latest cybersecurity news and updates.

Related Articles

GO TOP

🎉 You've successfully subscribed to Hack Reports!
OK